Strongswan
Using strongswan with pkcs11 and yubikey
I'm trying to deploy a new VPN configuration in my company.
I have already successfully established a connection between my computer and my IPsec VPN server in certificate mode.
I uploaded the p12 file, which contains my private key, the server's public key and the CA, to my yubikey.

    $ pkcs11-tool --test --login
    Using slot 0 with a present token (0x0)
    Logging in to "uid=r.beal,dc=ldap-...".
    Please enter User PIN:
    C_SeedRandom() and C_GenerateRandom():
      seeding (C_SeedRandom) not supported
      seems to be OK
    Digests:
      all 4 digest functions seem to work
      MD5: OK
      SHA-1: OK
      RIPEMD160: OK
    Signatures (currently only for RSA)
      testing key 0 (PIV AUTH key)
      all 4 signature functions seem to work
      testing signature mechanisms:
        RSA-X-509: OK
        RSA-PKCS: OK
        SHA1-RSA-PKCS: OK
        MD5-RSA-PKCS: OK
        RIPEMD160-RSA-PKCS: OK
        SHA256-RSA-PKCS: OK
    Verify (currently only for RSA)
      testing key 0 (PIV AUTH key)
        RSA-X-509: OK
        RSA-PKCS: OK
        SHA1-RSA-PKCS: OK
        MD5-RSA-PKCS: OK
        RIPEMD160-RSA-PKCS: OK
    Decryption (currently only for RSA)
      testing key 0 (PIV AUTH key)
        RSA-X-509: OK
        RSA-PKCS: OK
    No errors

I added this section to the swanctl.conf file:

    secrets {
        tokenyubikey {
            pin = 123456
            slot = 0
            handle = 1   # From what I understood, it's here that my crt is
            module = yubi-module
        }
    }

And this section in the /etc/strongswan.d/charon/pkcs11.conf file:

    yubi-module {
        #path = /usr/lib/libykcs11.so
        path = /usr/lib/pkcs11/opensc-pkcs11.so
    }
When I use the yubikey pkcs11 module:

    00[CFG] PKCS11 module '<name>' lacks library path
    00[CFG] loaded PKCS#11 v2.40 library 'yubi-module' (/usr/lib/libykcs11.so)
    00[CFG]   Yubico (www.yubico.com): PKCS#11 PIV Library (SP-800-73) v2.21
    00[CFG]   found token in slot 'yubi-module':0 (Yubico YubiKey OTP+FIDO+CCID 00 00)
    00[CFG]     YubiKey PIV #16616360 (Yubico (www.yubico.com): YubiKey YK5)
    00[CFG]     loaded untrusted cert 'X.509 Certificate for PIV Authentication'
    00[CFG]     loaded untrusted cert 'X.509 Certificate for PIV Attestation'

When the module is opensc:

    00[CFG] PKCS11 module '<name>' lacks library path
    00[CFG] loaded PKCS#11 v2.20 library 'yubi-module' (/usr/lib/pkcs11/opensc-pkcs11.so)
    00[CFG]   OpenSC Project: OpenSC smartcard framework v0.22
    00[CFG]   found token in slot 'yubi-module':0 (Yubico YubiKey OTP+FIDO+CCID 00 00)
    00[CFG]     uid=r.beal,dc=ldap-.. (piv_II: PKCS#15 emulate)
    00[CFG]     loaded untrusted cert 'Certificate for PIV Authentication'
Which module should I use?
When I run the ipsec daemon:

    # ipsec restart --nofork
    Starting strongSwan 5.9.3 IPsec [starter]...
    00[DMN] Starting IKE charon daemon (strongSwan 5.9.3, Linux 5.14.15-arch1-1, x86_64)
    00[CFG] PKCS11 module '<name>' lacks library path
    00[CFG] loaded PKCS#11 v2.20 library 'yubi-module' (/usr/lib/pkcs11/opensc-pkcs11.so)
    00[CFG]   OpenSC Project: OpenSC smartcard framework v0.22
    00[CFG]   found token in slot 'yubi-module':0 (Yubico YubiKey OTP+FIDO+CCID 00 00)
    00[CFG]     uid=r.beal,dc=ldap-.. (piv_II: PKCS#15 emulate)
    00[CFG]     loaded untrusted cert 'Certificate for PIV Authentication'
    00[CFG] attr-sql plugin: database URI not set
    00[NET] using forecast interface wlan0
    00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
    00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
    00[CFG]   loaded ca certificate "C=FR, ST=Idf, L=City, O=company, OU=company, CN=company, E=admin@company.fr" from '/etc/ipsec.d/cacerts/ca.pem'
    00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
    00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
    00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
    00[CFG] loading crls from '/etc/ipsec.d/crls'
    00[CFG] loading secrets from '/etc/ipsec.secrets'
    00[CFG] sql plugin: database URI not set
    00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
    00[CFG] loaded 0 RADIUS server configurations
    00[CFG] HA config misses local/remote address
    00[CFG] no script for ext-auth script defined, disabled
    00[LIB] loaded plugins: charon ldap pkcs11 aesni aes des rc2 sha2 sha3 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ntru drbg newhope bliss curl mysql sqlite attr kernel-netlink resolve socket-default bypass-lan connmark forecast farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp radattr unity counters
    00[LIB] dropped capabilities, running as uid 0, gid 0
    00[JOB] spawning 16 worker threads
    06[IKE] installed bypass policy for 172.17.0.0/16
    06[IKE] installed bypass policy for 192.168.1.0/24
    06[IKE] installed bypass policy for ::1/128
    06[IKE] installed bypass policy for fe80::/64
    02[CFG]   found token in slot 'yubi-module':0 (Yubico YubiKey OTP+FIDO+CCID 00 00)
    02[CFG]     uid=r.beal,dc=ldap-.. (piv_II: PKCS#15 emulate)
    02[CFG]     loaded untrusted cert 'Certificate for PIV Authentication'
    charon (10359) started after 120 ms
    11[CFG] received stroke: add connection 'test'
    11[CFG]   loaded certificate "C=FR, ST=Idf, L=City, O=company, OU=company, CN=uid=r.beal,dc=ldap,dc=company,dc=fr, E=r.beal@mail.fr" from '/etc/swanctl/x509/r.beal.pem'
    11[CFG]   id 'UID=r.beal, DC=ldap, DC=company, DC=fr' not confirmed by certificate, defaulting to 'C=FR, ST=Idf, L=City, O=company, OU=company, CN=uid=r.beal,dc=ldap,dc=company,dc=fr, E=r.beal@mail.fr'
    11[CFG] added configuration 'test'
The smartcard is present!
Now I'm trying to connect to the VPN (/etc/ipsec.conf):

    conn test
        right=1.2.3.4       # <= the public IP of my VPN server
        rightid=remote_id_of_the_server
        leftcert=/etc/swanctl/x509/r.beal.pem
        leftid=my_mail
        left=%defaultroute
        #leftcert=%smartcard
        auto=add

I put the CA in /etc/ipsec.d/cacerts/
ipsec log:

    01[CFG] received stroke: initiate 'test'
    09[IKE] initiating IKE_SA test[1] to 1.2.3.4
    09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    09[NET] sending packet: from 192.168.1.199[500] to 1.2.3.4[500] (1000 bytes)
    10[NET] received packet: from 1.2.3.4[500] to 192.168.1.199[500] (38 bytes)
    10[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
    10[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
    10[IKE] initiating IKE_SA test[1] to 1.2.3.4
    10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    10[NET] sending packet: from 192.168.1.199[500] to 1.2.3.4[500] (1192 bytes)
    06[NET] received packet: from 1.2.3.4[500] to 192.168.1.199[500] (481 bytes)
    06[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(CHDLESS_SUP) ]
    06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    06[IKE] local host is behind NAT, sending keep alives
    06[IKE] remote host is behind NAT
    06[IKE] received cert request for "C=FR, ST=Idf, L=City, O=company, OU=company, CN=company, E=admin@company.fr"
    06[IKE] sending cert request for "C=FR, ST=Idf, L=City, O=company, OU=company, CN=company, E=admin@company.fr"
    06[IKE] no private key found for 'C=FR, ST=Idf, L=City, O=company, OU=company, CN=uid=r.beal,dc=ldap,dc=company,dc=fr, E=r.beal@mail.fr'
The connection starts! What should I do so that ipsec uses the private key from my smartcard?
I saw this post: "NO_PROPOSAL_CHOSEN" when trying to authenticate with a smartcard's certificate using swanctl. Do I have the same problem? I tried copying all the certificates into the x509 directory, but I get the same error "no private key found".
EDIT ===
Now, when I call "swanctl --load-creds", ipsec finds the private key and uses it!
But now I have a network problem.

    16[IKE] authentication of 'compagny.com' with RSA_EMSA_PKCS1_SHA2_256 successful
    16[IKE] IKE_SA test[1] established between 192.168.1.199[r.beal@mail.fr]...1.2.3.4[compagny.com]
    16[IKE] scheduling reauthentication in 10059s
    16[IKE] maximum IKE_SA lifetime 10599s
    16[CFG] handling UNITY_SPLITDNS_NAME attribute failed
    16[CFG] handling INTERNAL_IP4_NETMASK attribute failed
    16[IKE] installing DNS server 172.22.0.17 to /etc/resolv.conf
    16[IKE] installing new virtual IP 10.66.0.5
    16[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
    16[IKE] failed to establish CHILD_SA, keeping IKE_SA
    16[IKE] received AUTH_LIFETIME of 20278s, reauthentication already scheduled in 10059s

I added to my conf file:

    leftsourceip=%config

My VPN server is configured not to route the client's internet traffic. So I think it is now a network configuration problem.
The solution was to set rightsubnet to 0.0.0.0/0
Thanks ecdsa!
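As an added example (not the poster's own configuration), the same setup written entirely in swanctl.conf syntax, which is what swanctl --load-creds and swanctl --load-conns read: the token secret, the connection, and the two fixes the post ends with (a requested virtual IP, equivalent to leftsourceip=%config, and a 0.0.0.0/0 remote traffic selector, equivalent to rightsubnet=0.0.0.0/0). The server address, identities, PIN and key handle are placeholders; in swanctl.conf the handle is the CKA_ID of the private key object on the token, in hex, so it is taken from the token rather than guessed.

```conf
# Added example, not the poster's configuration. Placeholders: 1.2.3.4,
# compagny.com (the server identity seen in the log), the PIN, and the
# key handle (CKA_ID of the PIV Authentication private key, in hex).
connections {
    test {
        remote_addrs = 1.2.3.4
        vips = 0.0.0.0             # request a virtual IPv4 (leftsourceip=%config)
        local {
            auth = pubkey
            certs = r.beal.pem     # relative paths resolve under /etc/swanctl/x509/
            id = r.beal@mail.fr    # must match the certificate, as the log showed
        }
        remote {
            auth = pubkey
            id = compagny.com      # identity the server authenticated with
        }
        children {
            test {
                remote_ts = 0.0.0.0/0   # the rightsubnet=0.0.0.0/0 fix
            }
        }
    }
}

secrets {
    token-yubikey {
        module = yubi-module   # name from /etc/strongswan.d/charon/pkcs11.conf
        slot = 0
        handle = 01            # placeholder: CKA_ID of the private key, hex
        pin = 123456           # placeholder PIN
    }
}
```

Load it with swanctl --load-creds and swanctl --load-conns, then start it with swanctl --initiate --child test; this vici/swanctl connection replaces the ipsec.conf/stroke "conn test" above rather than adding to it.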